Windows Event Collector (WEC)

The AxoRouter Windows Events connector can receive Windows Event Logs by running a Windows Event Collector (WEC) server. After enabling the Windows Events connector, you can configure your Microsoft Windows hosts to forward their event logs to AxoRouter using Windows Event Forwarding (WEF).

Windows Event Forwarding (WEF) reads any operational or administrative event logged on a Windows host and forwards the events you choose to a Windows Event Collector (WEC) server - in this case, AxoRouter.

Prerequisites

When using TLS authentication, you’ll need:

  • A CA certificate (in PEM format) that AxoRouter uses to authenticate the clients.
  • A certificate and the matching private key (in PEM format) that AxoRouter shows to the clients.

These files must be available on the AxoRouter host, and readable by the axorouter service for the connector to work.

Add new Windows Event Log connector

To add a new connector to an AxoRouter host, complete the following steps.

  1. Select Connectors > Create new rule. (Alternatively, you can select Add Connector > Create a connector rule on the Connectors page of an AxoRouter host.)

    Connector rules list

  2. Select Windows Events.

  3. Configure the connector rule.

    1. Enter a name for the connector rule into the Rule Name field.

    2. (Optional) Add labels to the connector rule. You will be able to use these labels in Flow Processing steps, for example, in the Query field of Select Messages steps.

    3. Set the Router Selector for the connector rule. The selector determines which AxoRouter instances will have a connector based on this connector rule.

      Router selectors

      • If you leave the Router Selector field empty, the rule will match every AxoRouter instance.
      • To select only a specific AxoRouter instance, set the name field with the name of the instance as selector.
      • If you set multiple fields in the selector, the connector rule will apply only to AxoRouter instances that match all elements of the selector. (There is an AND relationship between the fields.)
    4. (Optional) Enter a Suffix for the connector rule. This suffix will be used in the name of the connector instances created on the AxoRouter hosts. For example, if the name of a matching AxoRouter instance is “my-axorouter”, and the suffix of the rule is “otlp-rule”, the connector created for the AxoRouter will be named “my-axorouter-otlp-rule”.

      If the Suffix field is empty, the name of the connector rule is used instead.

    5. (Optional) Enter a description for the rule.

  4. Configure the protocol-level settings of the connector.

    WEC protocol settings

    1. Set the Hostname field. The clients will address this hostname. Note that:

      • The Common Name of the server’s certificate (set in the following steps) must contain this hostname, otherwise the clients will reject the connection.
      • You’ll have to use this hostname when configuring the Subscription Manager address in the Group Policy Editor.
    2. (Optional) If for some reason you don’t want to run the connection on the default port (5986), adjust the Port field.

    3. Set the paths for the certificates and keys used for the TLS-encrypted communication with the clients.

      Use absolute paths (for example, /etc/axorouter/user-config/tls-key.pem). The key and the certificate must be in PEM format. You have to make sure that these files are already present on the AxoRouter host; currently you can’t distribute them from Axoflow Console.

      • CA certificate path: The CA certificate that AxoRouter uses to authenticate the clients. If you want to limit which clients are accepted, set the More options > Certificate subject filter field.
      • Server certificate path: The certificate that AxoRouter shows to the clients.
      • Server private key path: The private key of the server certificate.
  5. Configure the subscriptions of the connector.

    WEC subscription settings

    1. Select Add new Subscription.

    2. (Optional) Set a name for the subscription. If you leave it empty, Axoflow Console automatically generates a name.

    3. Enter the event filter query into the Query field. This query specifies which events are collected by the subscription. For details on the query syntax, see the Microsoft documentation.

      A single query can retrieve events from a maximum of 256 different channels.

      For example, the following query retrieves every event from the Security, System, Application, and Setup channels.

      <Query Id="0">
          <Select Path="Application">*</Select>
          <Select Path="Security">*</Select>
          <Select Path="Setup">*</Select>
          <Select Path="System">*</Select>
      </Query>
      
    4. (Optional) If needed, you can configure other low-level options in the More options section. For details, see Additional options.

  6. Select Create.

    Axoflow automatically creates connectors on the AxoRouter hosts that match the Router Selector.

    Make sure to enable the ports you’ve configured in the connector on the firewall of the AxoRouter host, and on other firewalls between the AxoRouter host and your data sources.

  7. Configure Windows Event Forwarding (WEF) on your clients to forward their events to the AxoRouter WEC connector.

    When configuring the Subscription Manager address in the Group Policy Editor, use the hostname you’ve set in the connector.

    Windows Group Policy Editor
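The following PowerShell script is an added example and is not part of the Axoflow documentation or product. It covers the two client-side tasks from the steps above: it tests a candidate subscription query locally with Get-WinEvent before you paste it into the connector’s Query field, and it writes the same Subscription Manager value that the Group Policy setting "Configure target Subscription Manager" creates, pointing the host at the AxoRouter WEC on the default port 5986. The hostname, the CA thumbprint and the chosen event IDs are placeholders you must replace; the query goes beyond the page’s "select everything" example by selecting a few Security event IDs and suppressing one noisy pattern.

```powershell
# Added example, not from the Axoflow documentation. Run in an elevated PowerShell
# session on a Windows host that should forward events to the AxoRouter WEC connector.
# Placeholders: $WecHostname, $CaThumbprint. Assumes the connector uses the default port 5986.

$WecHostname  = 'axorouter.example.com'   # placeholder: must match the Hostname field and the server cert CN
$WecPort      = 5986                      # default Port of the WEC connector
$CaThumbprint = '0000000000000000000000000000000000000000'  # placeholder: SHA-1 thumbprint of the CA that issued the client certs

# 1. The query you intend to paste into the connector's Query field. A short list of
#    Security event IDs plus a Suppress element is usually a better starting point
#    than "*" on every channel. The event IDs below are illustrative.
$SubscriptionQuery = @'
<Query Id="0">
    <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4672 or EventID=4688)]]</Select>
    <Suppress Path="Security">*[EventData[Data[@Name='TargetUserName']='ANONYMOUS LOGON']]</Suppress>
    <Select Path="System">*[System[Provider[@Name='Service Control Manager']]]</Select>
</Query>
'@

# 2. Test the query locally before deploying it. Get-WinEvent -FilterXml expects the
#    Query element wrapped in a QueryList, which is how Windows itself stores subscriptions.
$FilterXml = [xml]("<QueryList>{0}</QueryList>" -f $SubscriptionQuery)
try {
    $sample = Get-WinEvent -FilterXml $FilterXml -MaxEvents 20 -ErrorAction Stop
    $sample | Select-Object TimeCreated, Id, ProviderName | Format-Table -AutoSize
} catch {
    # "No events were found" only means nothing matched yet; any other error means
    # the XPath is malformed and would break the subscription on every client.
    if ($_.Exception.Message -notmatch 'No events were found') { throw }
    Write-Host 'Query parsed correctly, but no matching events exist on this host yet.'
}

# 3. Point the host at the WEC. This registry value is what the Group Policy setting
#    "Configure target Subscription Manager" writes; use a GPO for fleet-wide rollout.
#    IssuerCA tells the client which certificate to present to AxoRouter.
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
$ServerValue = 'Server=https://{0}:{1}/wsman/SubscriptionManager/WEC,Refresh=60,IssuerCA={2}' -f $WecHostname, $WecPort, $CaThumbprint
New-Item -Path $PolicyKey -Force | Out-Null
Set-ItemProperty -Path $PolicyKey -Name '1' -Value $ServerValue -Type String

# 4. The forwarder runs as NETWORK SERVICE, which cannot read the Security log by default.
#    Add-LocalGroupMember needs the Microsoft.PowerShell.LocalAccounts module
#    (Windows 10 / Server 2016 and later); the error is suppressed if it is already a member.
Add-LocalGroupMember -Group 'Event Log Readers' -Member 'NT AUTHORITY\NETWORK SERVICE' -ErrorAction SilentlyContinue

# 5. WEF uses the WinRM (WS-Management) client; make sure it runs, then apply the policy.
Set-Service -Name WinRM -StartupType Automatic
Start-Service -Name WinRM
gpupdate /target:computer /force
```

After the policy refresh, the client initiates the connection to the hostname from step 3, so the AxoRouter firewall must allow inbound TCP on the configured port and the server certificate’s Common Name must contain that hostname, as the protocol settings above require.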

Additional options

You can set the following options of the WEC connector under Subscriptions > More options.

WEC more settings

  • Certificate subject filter: A simple string to filter the clients based on the Common Name of their certificate. You can use the * and ? wildcard characters.

  • UUID: A unique ID for the subscription. If empty, Axoflow Console automatically generates it.

  • Heartbeat interval: The number of seconds after which the client sends a heartbeat message when it has no new events to send. Default value: 3600s

  • Connection retry interval: Time between reconnection attempts. Default value: 60s

  • Connection retry count: Number of times the client will attempt to reconnect if AxoRouter is unreachable. Default value: 10

  • Max time: The maximum number of seconds the client aggregates new events before sending them in a batch. Default value: 30s

  • Max elements: The maximum number of events that the client aggregates before sending them in a batch. By default it’s empty, meaning that only the Max time and Max envelope size options limit the aggregation. Default value: empty

  • Max envelope size: The maximum number of bytes in the SOAP envelope used to deliver the events. Default value: 512000 bytes

  • Locale: The language in which rendering information is expected, for example, en-US. Default value: Client choose

  • Data locale: The language in which numerical data is expected to be formatted, for example, en-US. Default value: Client choose

  • Read existing events: If enabled (Yes), the event source sends:

    • all existing events that match the filter, and
    • any events that subsequently occur for that event source.

    If disabled (No), existing events will be ignored.

    Default value: No

  • Ignore channel error: A subscription query that results in an error would otherwise stop event processing on the client. Enable this option to ignore such errors and keep processing. Default value: Yes

  • Content format: Determines whether to include rendering information (RenderedText) with events or not (Raw). Default value: Raw

Metadata fields

The AxoRouter Windows Events connector adds the following fields to the meta variable:

  field                  value
  meta.connector.type    windowsEvents
  meta.connector.name    <name of the connector>
  meta.connector.port    <port of the connector>